What’s Wrong with PSKs and MAC...

What’s Wrong with PSKs and MAC Authentication for BYOD?

When a BYOD user or visitor needs network access, how do you roll out the welcome mat without leaving the door wide open to anyone who wanders by? Plenty of organizations use conventional pre-shared keys or MAC authentication to get BYOD users and visitors on the network. Seems reasonable—until you learn that these mechanisms come with serious security flaws. What’s so bad about traditional pre-shared keys (PSKs) and MAC authentication for guest and BYOD onboarding from an IT security perspective? Let’s find some answers.

What’s the problem with pre-shared keys?

When users ask for “the Wi-Fi password”, they are using the common vernacular for pre-shared keys. Suppose an IT administrator sets up a Wi-Fi SSID with an assigned PSK, and then simply gives that PSK to anyone who requires network access. Maybe you even use this approach yourself—why not? Well, for a few reasons.

Start with the fact that when you have a single Wi-Fi password, you have no way to control who has access to it. Users can—and do—share Wi-Fi passwords with others, even people you might not want to have access to your network.

When everybody’s sharing the same password, there’s also no way to revoke access to an individual user—say, when someone leaves the organization. Do you really want former employees to be able to just hop on your network after they’ve left? Probably not. But you can’t change that password without disrupting access for everyone—so you might be tempted never to change it. Not a good policy.

OK, then what about MAC Authentication?

At least PSKs encrypt data traffic in transit over the air. When you use MAC authentication to provide network access for BYOD and guest users, that’s not the case. Anyone can intercept that data traffic. Attackers also find it easy to spoof MAC addresses and thereby gain unauthorized access to the network.

Heard enough? There’s more.

With both PSKs and MAC authentication, you have no way to associate each device with a user. Suppose you become aware of a device that’s wasting bandwidth by downloading huge video files—and, even worse, it’s copyrighted content being downloaded illegally over your network. You would want to put a stop to that right away. If you have no way to link that device with a specific person, good luck figuring out who it is.

Secure environments use “role-based access” to control what different types of users can do on the network. On a K-12 school network, for example, you might want to let teachers access Netflix to play a documentary but block that application for students. Or you might need to restrict access to a server housing sensitive student data to only a few privileged users. If you use PSKs or MAC authentication to grant access, you can forget it—neither works with your infrastructure to support granular policy enforcement.

Additionally, neither traditional PSKs nor MAC authentication let you perform an up-front assessment of a device’s security posture, or automatically remediate any issues discovered. For example, before you let a BYOD user on the network, you probably want to make sure that tablet he’s about to connect has a passcode enabled. Otherwise, when it’s lost or stolen, an unauthorized user can get unfettered access to confidential data on your network. You also probably want to make sure that laptop a contractor just brought into your environment has the desktop firewall turned on, and current anti-malware protection in place, before you allow it to connect. These are sound, straightforward IT security practices—and you can’t use them if you’re using traditional PSKs or MAC authentication.

There’s a better way to do this.

A secure onboarding solution is an important element of a layered approach to IT security—and traditional PSKs and MAC authentication just don’t get the job done. Fortunately, Ruckus offers a solution that does: Cloudpath Enrollment System (ES). Cloudpath ES provides secure network access with role-based policy control for any user and any device—and you don’t have to swap out your WLAN or wired infrastructure to use it.

You’ll always need to get BYOD users and guests up and running. By putting aside legacy access methods, you can do it without giving away the keys to the kingdom.